[Snort-users] Guardian

Matt Kettler mkettler at ...4108...
Sun Jul 18 19:28:02 EDT 2004

At 04:27 PM 7/18/2004, Muhammad Novansarosa wrote:
>can i block MAC @ with guardian ?
>i had modified it, but still cannot block it

By MAC address??? I'd be very surprised.

Snort isn't particularly mac-address oriented.

Depending what kernel level firewall you're having guardian configure you 
might be able to do it there directly, but I'd be surprised if either snort 
or guardian could trigger an event based only on the source MAC of a packet.

I'm pretty sure linux 2.4x's netfilter is capable of this if you've 
compiled your kernel with the "MAC Address match support" option.

It seems out-of-place to use an IDS to do something trivial like block a 
MAC or IP address. Firewall scripts do that kind of thing on their own 
pretty easily.

More information about the Snort-users mailing list